OPAL server and client architecture #326
Replies: 1 comment
One of the key aspects of the OPAL architecture is decoupling the data plane and the control plane, enabling security best practices such as Zero Trust and a 'need-to-know basis'.

If for every update the data got sent through the OPAL-server, we'd create a weak point where all the sensitive data is pooled. Instead, with OPAL the server sends instructions on where to get the data instead of the data itself.

This also allows OPAL to serve distributed networks and VPCs without having them open up to external connections. The residing OPAL-client can access the data locally (e.g. DBs and services within the local network), according to the given instruction, without the data ever leaving the network. In addition, this provides improved performance and lower latency, while keeping a unified control plane, thanks to the locality of the OPAL-client. You can read more about the concept here.

Note: OPAL 0.2.1 added the ability to send data directly as part of an update, but we don't encourage that.

Policy changes (while using the same pub/sub channel) are separate from data updates. By default OPAL-server tracks a Git repository, but it can also track a Bundle server, either by using a webhook or by polling.